SERIAL KILLER MIND

  Crime Classification Manual Part II Chapter 10 A 30 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N   On eleven separate occasions during March 2000, Zezev illegally entered Bloomberg’s computer system and accessed various accounts, including Michael Bloomberg’s personal account as well as accounts for other Bloomberg employees and customers.

  Crime Classification Manual Part II Chapter 10 A 29 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N   In March 2000, Zezev manipulated Bloomberg’s software to bypass Bloomberg’s security system to gain unauthorized access to Bloomberg’s computer system so that he could pose as different legitimate Bloomberg customers and employees.

  Crime Classification Manual Part II Chapter 10 A 28 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N   Investigation In the spring of 1999, Bloomberg provided database services to Kazkommerts. As a result, Kazkommerts was provided with Bloomberg’s software to gain access to Bloomberg’s services over the Internet. Bloomberg cancelled those services in 1999 because Kazkommerts did not pay its bill

  Crime Classification Manual Part II Chapter 10 A 27 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N   Forensic Findings The e-mail came from an e-mail account at a company called Hotmail that Zezev had registered under a false name. The e-mail was traced back to Kazkommerts Securities, where Zezev worked. After receiving the first e- mail, Bloomberg computer specialists were able to piece together how Zezev had broken in and rewrote the software on the Bloomberg system to prevent him from accessing the system again.

  Crime Classification Manual Part II Chapter 10 A 26 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N   Zezev then used that information to threaten Bloom- berg’s founder, Michael Bloomberg, that if he did not pay him $200,000, he would disclose this information to Bloomberg’s customers and the media to harm Bloomberg’s reputation. Zezev was the chief information technology officer at Kazkommerts Securities (Kazkommerts) located in Almaty, Kazakhstan.

  Crime Classification Manual Part II Chapter 10 A 25 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N   CASE STUDY: 512: COMPUTER DATA AS THE TARGET Background and Victimology Oleg Zezev was accused of trying to steal confidential information belonging to Bloomberg L.P. and its customers. Bloomberg L.P. is a multinational financial data company that provides its customers in the international financial community with timely financial information and trading data through a computer network.

  Crime Classification Manual Part II Chapter 10 A 24 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N   Search Warrant Suggestions The search warrant for the offender’s location should list all computers and all forms of computer storage: disks, data CD-ROMs, DVDs, magnetic tapes, external hard drives, mini drives (sometimes called memory sticks), flash memory modules, programming documentation, e-mail addresses (possible sources of malignant software creation programs), the computer and all its peripherals, and all program CD-ROMs. The search warrant should also include the offender’s Internet accounts.

  Crime Classification Manual Part II Chapter 10 A 23 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N   Investigative Considerations The targeted computer should have its hard drive removed and analyzed by special computer software to determine not only the changed data but search for possible Trojan horse software that tests for data checks and then destroys the corrupted data before they can be analyzed.

  Crime Classification Manual Part II Chapter 10 A 22 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N   Common Forensic Findings. Changes in computer data can be detected if the data were backed up, that is, copies of the data were stored on another computer, CD-ROM, computer disk, or magnetic tape. If backups are available, a computer program can be used to compare files to determine which data were changed. The changes in data could provide clues to the offender.

  Crime Classification Manual Part II Chapter 10 A 21 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N   Defining Characteristics Victimology. The victims are computers and the data they contain, especially personal computers, attached to the Internet. Malignant software can be transmitted using the Internet, e-mail and spam, computer disks, CD- ROMs, flash cards, and any other form of computer storage.

  Crime Classification Manual Part II Chapter 10 A 20 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N   These types of computer crimes can also be considered under the criminal enterprise classification (530). Other crimes within this classification are software piracy and the theft of intellectual property from the computer. Software piracy or theft of intellectual property not on the computer but on electronic media falls into the theft or larceny classification or under criminal enterprise (530).

  Crime Classification Manual Part II Chapter 10 A 19 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N   512: COMPUTER DATA AS THE TARGET Crimes with the computer data as the target are changing data, replacing data, or creating new data on the computer. Data such as payroll information, credit history, and stock information are typical targets for this crime. This changing, replacing, or creating fraudulent data such as corporate information for stock fraud or false tax returns is usually associated with securities fraud or wire transfers.

  Crime Classification Manual Part II Chapter 10 A 18 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N   Search for Warrant Suggestions The search warrant for the offender’s location should list all computers and all forms of computer storage: disks, data CD-ROMs, DVDs, magnetic tapes, external hard drives, mini drives (sometimes called memory sticks), flash memory modules, programming documentation, e-mail addresses (possible sources of malignant software creation programs), the computer and all its peripherals, and all CD-ROMs. The search warrant should also include the offender’s Internet accounts.

  Crime Classification Manual Part II Chapter 10 A 17 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N   This special software reads the patterns of ones and zeros from the disk without executing programs on the disk. Offenders typically build in programs during the boot cycle (computer start-up) that require a special password or procedure. If the password or procedure is not followed, the program will erase all files associated with the creation of malignant software.

  Crime Classification Manual Part II Chapter 10 A 16 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N   Investigative Considerations The targeted computer should be serviced by another computer or Internet service to scan for malignant software. The offender’s computer should be unplugged (not turned on and not closed if it is on) and taken to a qualified facility where the hard drive will be removed and scanned with special software using another computer.

  Crime Classification Manual Part II Chapter 10 A 15 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N   Common Forensic Findings. Targeted computers have missing files, slow response and processing speeds, an inability to access antivirus software, or fail to start. The offender’s computer will have malignant software creation tools and copies of the software program. A Trojan horse offender’s computer will also have the addresses of successful implants. The offender’s computer data will be encrypted.

  Crime Classification Manual Part II Chapter 10 A 14 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N   Victimology. The victims are all computers, especially personal computers, attached to the Internet. Malignant software can be transmitted over the Internet, computer disks, CD-ROMs, flash cards, and any other form of computer storage.

  Crime Classification Manual Part II Chapter 10 A 13 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N   Another example of a logic bomb is a program that was written to search for a programmer’s social security number; if it was not found, all payroll records would be destroyed on the computer.

  Crime Classification Manual Part II Chapter 10 A 12 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N   Another harmful program is the logic bomb, a program that destroys data or crashes systems when a certain event occurs. An early example was the one labeled cookie monster. Cookie monster would appear on the screen and say, “Cookie! Cookie! Cookie! Cookie!” and if the user could not type the word cookie into the keyboard fast enough, it would destroy or “eat” a file or files on the computer system.

  Crime Classification Manual Part II Chapter 10 A 11 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N   The key logger can be used to exploit a user’s financial accounts by posing as the user. Another type of Trojan horse is a program that turns the user system into a spam generator. When spam is sent to the infected computer, it forwards that spam to all the addresses contained in the address books resident on the computer.

  Crime Classification Manual Part II Chapter 10 A 10 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N   Trojan horses are programs placed on a computer to capture and send information to a third party unbeknown to the computer user. They have been used in cases of identity theft (see classification 521). Another type of Trojan horse captures the user’s keystroke information and searches for personal and financial information. This type of program is called a “key logger.”

  Crime Classification Manual Part II Chapter 10 A 09 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N     Viruses are malicious code embedded in programs or e-mails that damage the computer hardware or software. The worm is code that can damage computer files and programs or slow computer performance; it is delivered by another program or application, usually via e-mail. Viruses and worms were originally delivered by removable media but now can be found in e-mails, e-mail attachments, and free programs available over the Internet. Viruses and worms have also been found embedded in pictures.

  Crime Classification Manual Part II Chapter 10 A 08 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N   511: MALIGNANT SOFTWARE Defining Characteristics Malignant software such as viruses, worms, and Trojan horses targets the computer or the software on the computer with the intent to do harm to the computer.

  Crime Classification Manual Part II Chapter 10 A 07 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N   These programs go under many names: virus, worms, Trojan horse, spyware, and malware, to name a few. These types of programs fall under the heading of malignant software. Of- fenders who create and proliferate viruses, worms, and Trojan horses are known as hackers.

  Crime Classification Manual Part II Chapter 10 A 06 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N   Included in this classification are crimes that target the user of the computer, the data stored on the computer, the software on the computer, or the intellectual property or trade secrets on the computer. Software programs have been developed to target computers.

  Crime Classification Manual Part II Chapter 10 A 05 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N   510: COMPUTERS AS THE TARGET Computers as the target of the crime occurs when the computer itself is the “victim” of the crime. The computer can also be a target when it or its components (hard drives, monitor, software) are stolen, but these types of crimes are classified under larceny or theft and are not included in the 510 classification.

  Crime Classification Manual Part II Chapter 10 A 04 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N   Computer crimes are divided into four major classifications: the computer as the target of the crime (510), the computer user as the target (520), criminal enterprise (530), and threats via the Internet (540). Criminal enterprise is where the computer is used as a weapon of the crime, or the computer is incidental to the crime. Threats via the Internet include stalking as well as extortion.

  Crime Classification Manual Part II Chapter 10 A 03 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N   The computer can be the victim of the crime, the user of the computer can be the victim of the crime, information in the computer can be the target. In addition, criminal enterprises are using computers, and computers are used by criminal’s incidental to the crime.

  Crime Classification Manual Part II Chapter 10 A 02 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N   U.S. attorney Michael J. Sullivan said about one case, “Today’s sentence is the result of the juvenile’s guilty plea to both the Massachusetts and Arkansas charges. Computer hacking is not fun and games. Hackers cause real harm to real victims. Would-be hackers, even juveniles when appropriate, should be put on notice that such criminal activity will not be tolerated and that stiff punishments await them if they are caught.”

  Crime Classification Manual Part II Chapter 10 A 01 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N   Computer Crimes   Crimes involving the computer have emerged as a new class of crimes. The U.S. Attorney’s Office’s Computer Hacking and Intellectual Property Section (CHIPS) was created to prosecute high-technology and intellectual property offenses, including computer intrusions, denial of service attacks, virus and worm proliferation, Internet fraud, and telecommunications fraud.

  Crime Classification Manual Part II Chapter 9 B 69 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N   The jury’s foreman said the jury’s main challenge came when deciding the count of elder abuse. The jury had to decide whether the intruder reason- ably should have known the age of the victim. The defendant faced up to eleven years and four months in prison.

  Crime Classification Manual Part II Chapter 9 B 68 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N   Outcome The twenty-five-year-old intruder, Vasquez-Garcia, was found guilty of two counts of residential burglary, one count of false imprisonment of an elder, and one count of elder abuse. One of the two burglary charges arose from another woman, a seventy-eight-year-old, who contacted investigators after learning of the other incident. She testified at trial that when he was landscaping her yard in April 2004, he had used her bathroom and exposed himself to her.

  Crime Classification Manual Part II Chapter 9 B 67 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N   Investigation The victim barricaded herself in the bathroom with a telephone, which she used to call her daughter, who called the police. The police arrived to find the assailant’s clothes strewn around the house; he was wearing sweatpants and had a condom in the pocket. He told the police he intended to steal jewelry.  

  Crime Classification Manual Part II Chapter 9 B 66 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N   Forensic Findings He ate a banana, drank some milk, and fell asleep. He awoke, used the bathroom, got undressed, and exposed himself to the victim but fell back asleep. Swabs of the milk glass were taken as well as fingerprints on broken glass and his clothing.

  Crime Classification Manual Part II Chapter 9 B 65 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N   Crime Scene Indicators The assailant spoke only Spanish, but the victim knew him from his land- scaping her yard in April. After the man calmed down, the victim showed him family pictures, shared stories, and offered him something to eat.

  Crime Classification Manual Part II Chapter 9 B 64 A STANDARD SYSTEM FOR INVESTIGATING AND CLASSIFYING VIOLENT CRIMES SECOND EDITIO N CASE STUDY: 450: BATTERY/ABUSE Case Contributed by Leonard Morgenbesser Victimology A seventy-three-year-old woman awoke in the early morning of July 10, 2004, to the sound of breaking glass. When she opened her door, a man charged inside, grabbed her, muffled her mouth, and made her promise not to call the police.